]> git.mxchange.org Git - quix0rs-gnu-social.git/blobdiff - classes/Profile_tag.php
projects / quix0rs-gnu-social.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Escape SQL parameter in Profile_tag::moveTag()
[quix0rs-gnu-social.git] / classes / Profile_tag.php
diff --git a/classes/Profile_tag.php b/classes/Profile_tag.php
index de91857eb878dc66eef896222b76f16495705259..fdac14cd7163e004d03f530d472c95734bae0a67 100644 (file)
--- a/classes/Profile_tag.php
+++ b/classes/Profile_tag.php
@@ -284,8 +284,11 @@ class Profile_tag extends Managed_DataObject
                'tag = "%s", tagger = "%s" ' .
                'WHERE tag = "%s" ' .
                'AND tagger = "%s"';
-        $result = $tags->query(sprintf($qry, $new->tag, $new->tagger,
-                                             $orig->tag, $orig->tagger));
+        $result = $tags->query(sprintf($qry,
+                                       $tags->escape($new->tag),
+                                       $tags->escape($new->tagger),
+                                       $tags->escape($orig->tag),
+                                       $tags->escape($orig->tagger)));
 
         if (!$result) {
             common_log_db_error($tags, 'UPDATE', __FILE__);
This is my personal clone from the wonderful software GNUSocial. I may fix or break things here, so use it on your own risk. :-)